This section describes a few common procedures for creating and managing keys and certificates using certutil and pk12util. For details on certutil and pk12util, see Using Network Security Services (NSS) Tools and documentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.
By configuring a PKCS#11 provider in the java.security properties file (located in the JAVA_HOME/jre/lib/security directory of the Java runtime), you can also use the J2SE keytool utility to manage keys and certificates.
This section describes the following topics:
To list the keys and certificates in the configured PKCS#11 tokens, run the following command:
certutil -L -d AS_NSS_DB [-h tokenname]
For example, to list the contents of the default NSS soft token, type:
certutil -L -d AS_NSS_DB
The standard output will be similar to the following:
verisignc1g1          T,c,c
verisignc1g2          T,c,c
verisignc1g3          T,c,c
verisignc2g3          T,c,c
verisignsecureserver  T,c,c
verisignc2g1          T,c,c
verisignc2g2          T,c,c
verisignc3g1          T,c,c
verisignc3g2          T,c,c
verisignc3g3          T,c,c
s1as                  u,u,u
The output displays the name of the token in the left column and a set of three trust attributes in the right column. For Application Server certificates, the attributes are usually T,c,c. Unlike the J2SE java.security.KeyStore API, which has only one level of trust, NSS distinguishes several levels of trust. Application Server is primarily interested in the first trust attribute, which describes how this token is used for SSL. For this attribute:
T indicates that the Certificate Authority (CA) is trusted for issuing client certificates.
u indicates that you can use the certificates (and keys) for authentication or signing.
The attribute combination u,u,u indicates that a private key exists in the database.
To list the contents of the hardware token, mytoken, run the following command:
certutil -L -d AS_NSS_DB -h mytoken
You will be prompted for the password for the hardware token. The standard output is similar to the following:
Enter Password or Pin for "mytoken":
mytoken:Server-Cert                       u,u,u
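The trust-attribute explanation above and the two listing commands (soft token and hardware token) lend themselves to a small check script. The following POSIX shell script is an added example, not part of the original documentation or of the Application Server tools: it parses certutil -L style output and reports, for each entry, its nickname, its trust triple, and whether the entry carries a private key (u,u,u) or is a CA trusted for SSL client certificates (first attribute contains T). The two sample listings are constructed here; the column header lines in the soft-token sample are an assumption about what certutil prints and are skipped by the parser, as is the password prompt line of the hardware-token listing. The matcher accepts the full NSS trust-flag alphabet (p, P, c, C, T, u) so that entries with flags other than those shown on this page are still recognised.

```shell
#!/bin/sh
# Added example: audit the trust attributes in a certutil -L listing.

# Constructed sample of `certutil -L -d AS_NSS_DB` output (soft token).
# The two header lines are an assumption about certutil's layout.
SAMPLE_SOFT='
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

verisignc1g1                                  T,c,c
verisignsecureserver                          T,c,c
s1as                                          u,u,u
'

# Constructed sample of `certutil -L -d AS_NSS_DB -h mytoken` output,
# including the password prompt that precedes the listing.
SAMPLE_HW='Enter Password or Pin for "mytoken":
mytoken:Server-Cert                           u,u,u
'

# nss_trust_report: read a certutil -L listing on stdin and print one
# tab-separated line per certificate: nickname, trust triple, classification.
nss_trust_report() {
    awk '
    # Only lines whose last field is an NSS trust triple (e.g. T,c,c, u,u,u, or ,,)
    $NF ~ /^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$/ {
        flags = $NF
        nick  = $0
        sub(/[ \t]+[pPcCTu,]+[ \t]*$/, "", nick)   # drop the flags, keep the nickname
        sub(/^[ \t]+/, "", nick)                    # drop leading indentation
        split(flags, attr, ",")
        ssl = attr[1]                               # first attribute = SSL trust
        if (flags == "u,u,u")      kind = "private-key"   # a private key exists in the DB
        else if (ssl ~ /T/)        kind = "ca-trusted"    # CA trusted to issue client certs
        else if (ssl ~ /u/)        kind = "user-cert"     # usable for auth/signing, not u,u,u
        else                       kind = "other"
        printf "%s\t%s\t%s\n", nick, flags, kind
    }'
}

# nss_private_key_nicknames: print only the nicknames that have a private key.
nss_private_key_nicknames() {
    nss_trust_report | awk -F '\t' '$3 == "private-key" { print $1 }'
}

# Stand-alone run: report both constructed listings.
printf '%s\n' "$SAMPLE_SOFT" | nss_trust_report
printf '%s\n' "$SAMPLE_HW"   | nss_trust_report
```

To run it against a real store, pipe the actual listing in, for example `certutil -L -d AS_NSS_DB | sh audit.sh` with the sample lines removed, or call nss_private_key_nicknames to confirm that exactly the expected server certificate (s1as in the default configuration) carries a private key.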
Use certutil to create self-signed certificates and to import or export certificates. To import or export private keys, use the pk12util utility. For more details, see Using Network Security Services (NSS) Tools.
In Application Server, do not modify the NSS password directly with the NSS tools certutil and modutil. If you do so, security data in Application Server might be corrupted.